Tested Versions

Product URLs

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

The ping feature of the Moxa AWK-3131A WAP web application is vulnerable to OS command injection. No obfuscation or encoding is needed - there appears to be no filtering of user input. Entering an OS command preceded by a ; results in the command being executed by the OS with root permissions.

Exploit Proof-of-Concept (optional)

An authenticated user may obtain a remote shell with root privileges by entering the following in the ping input box:

; /bin/busybox telnetd -l/bin/sh -p9999

then telnet to port 9999. The attacker will be connected to a /bin/sh shell as the root user, without needing to enter any credentials.

Mitigation (optional)

Exploitation of the vulnerable parameter requires authentication to the web application. However, commands are executed by the operating system as the root user, negating any user-level privilege enforcement by the web application.
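As an added illustration of the fix for the injection described in the Details section (this is example code, not Moxa's firmware or any code from the advisory), the handler below accepts only an IP literal or a plain hostname as the ping target and invokes ping with an argument list rather than a shell, so a ; or any other metacharacter in the input is rejected outright instead of reaching the OS. The hostname rule and the fixed packet count are assumptions made for the example.

```python
import ipaddress
import re
import subprocess

# Hostname label rule (RFC 1123 style, assumed for this example):
# letters, digits and hyphens only, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ping_target(target: str) -> bool:
    """Return True only for an IPv4/IPv6 literal or a plain hostname.

    Spaces, ';', '|', '$', quotes and every other shell metacharacter fail
    this check, so the input can never be interpreted as a second command.
    """
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def build_ping_argv(target: str, count: int = 4) -> list[str]:
    """Build the argv for ping; raises ValueError for an invalid target."""
    if not validate_ping_target(target):
        raise ValueError("invalid ping target")
    # A validated target cannot start with '-', so it cannot be read as a flag.
    return ["ping", "-c", str(count), target]


def run_ping(target: str) -> str:
    """Run ping with shell=False: argv is passed directly, no shell parses it."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs; the last one is the payload from the advisory.
    for candidate in ("192.0.2.1", "gateway.example",
                      "; /bin/busybox telnetd -l/bin/sh -p9999"):
        verdict = "accepted" if validate_ping_target(candidate) else "rejected"
        print(repr(candidate), "->", verdict)
```

Input validation does not change the privilege the web process runs with; the root-execution point in the mitigation note is addressed separately, by running the web application as an unprivileged account.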